0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2

Analysis

max time kernel
150s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
Size

392KB
MD5

1196d95f71c2435813994caa0ae9d7f0
SHA1

645670695f3b63fb7742d76d5c307ea4ecec471b
SHA256

0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2
SHA512

3cad9d76af3bc4c6099295d81fef489307b897d212b0b9f87840a7ec2967758e2b56daa42afce09cb525642a852fb27412a884d78c73eedfcd90748c12aa855e
SSDEEP

12288:et8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS2Z:et+gvMpVij/F1hV5HuvAI3

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3240	achsv.exe
2848	COM7.EXE
4492	achsv.exe
3048	COM7.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	COM7.EXE

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5052	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
3240	achsv.exe
3240	achsv.exe
2848	COM7.EXE
2848	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
4492	achsv.exe
4492	achsv.exe
3048	COM7.EXE
3048	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2848	COM7.EXE
2848	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2848	COM7.EXE
2848	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2848	COM7.EXE
2848	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2848	COM7.EXE
2848	COM7.EXE
2848	COM7.EXE
2848	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2848	COM7.EXE
2848	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2848	COM7.EXE
2848	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2848	COM7.EXE
2848	COM7.EXE
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
2848	COM7.EXE
2848	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3240	achsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3240	2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe	76
PID 2816 wrote to memory of 3240	2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe	76
PID 2816 wrote to memory of 3240	2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe	76
PID 2816 wrote to memory of 2848	2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe	78
PID 2816 wrote to memory of 2848	2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe	78
PID 2816 wrote to memory of 2848	2816	0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe	78
PID 2848 wrote to memory of 5052	2848	COM7.EXE	86
PID 2848 wrote to memory of 5052	2848	COM7.EXE	86
PID 2848 wrote to memory of 5052	2848	COM7.EXE	86
PID 2848 wrote to memory of 4492	2848	COM7.EXE	89
PID 2848 wrote to memory of 4492	2848	COM7.EXE	89
PID 2848 wrote to memory of 4492	2848	COM7.EXE	89
PID 3240 wrote to memory of 3048	3240	achsv.exe	90
PID 3240 wrote to memory of 3048	3240	achsv.exe	90
PID 3240 wrote to memory of 3048	3240	achsv.exe	90

C:\Users\Admin\AppData\Local\Temp\0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\0fdeb33a343bce66b409145a0aeaae4f87f2192f1b7688bd462d3beb54dab3a2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3048
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5052
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
1d2f6220c773802f34660daa3ff7528b

SHA1
148ccc0dca671f981b30ea5f9b73c469ff9a8101

SHA256
34545ac31b8f8fd1e4e7a57184631d1a9e3d29afe59a23cb3f7436c25fd2966f

SHA512
e0f8805afa5531e21322c582ff9409105441919061786b15c5ae17b25cc830f41d74014d9ba4e9eb402b08e5011fd6c952f4e95152c9a3a76fc992ce3adc1017

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
1d2f6220c773802f34660daa3ff7528b

SHA1
148ccc0dca671f981b30ea5f9b73c469ff9a8101

SHA256
34545ac31b8f8fd1e4e7a57184631d1a9e3d29afe59a23cb3f7436c25fd2966f

SHA512
e0f8805afa5531e21322c582ff9409105441919061786b15c5ae17b25cc830f41d74014d9ba4e9eb402b08e5011fd6c952f4e95152c9a3a76fc992ce3adc1017

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
1d2f6220c773802f34660daa3ff7528b

SHA1
148ccc0dca671f981b30ea5f9b73c469ff9a8101

SHA256
34545ac31b8f8fd1e4e7a57184631d1a9e3d29afe59a23cb3f7436c25fd2966f

SHA512
e0f8805afa5531e21322c582ff9409105441919061786b15c5ae17b25cc830f41d74014d9ba4e9eb402b08e5011fd6c952f4e95152c9a3a76fc992ce3adc1017

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
c4633c2e69fe3d75b7c290a478df8e5e

SHA1
b314ef51a91f91a93ff8e183e2060b0dc58fdb3a

SHA256
91772cd1c64978650726b35cd67e211039f2b3b4587995fc58f33d6079245803

SHA512
3bafbb0295914e0be6f90ef0378153d7cc97835a6a97642e2bebaedcb4fa651c0d2c88bf1f64c44d51b69be1f606833da2cbbc9883aad854794d717a3e023500

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
c4633c2e69fe3d75b7c290a478df8e5e

SHA1
b314ef51a91f91a93ff8e183e2060b0dc58fdb3a

SHA256
91772cd1c64978650726b35cd67e211039f2b3b4587995fc58f33d6079245803

SHA512
3bafbb0295914e0be6f90ef0378153d7cc97835a6a97642e2bebaedcb4fa651c0d2c88bf1f64c44d51b69be1f606833da2cbbc9883aad854794d717a3e023500

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
c4633c2e69fe3d75b7c290a478df8e5e

SHA1
b314ef51a91f91a93ff8e183e2060b0dc58fdb3a

SHA256
91772cd1c64978650726b35cd67e211039f2b3b4587995fc58f33d6079245803

SHA512
3bafbb0295914e0be6f90ef0378153d7cc97835a6a97642e2bebaedcb4fa651c0d2c88bf1f64c44d51b69be1f606833da2cbbc9883aad854794d717a3e023500

Download Submit
memory/2848-135-0x0000000000000000-mapping.dmp

Download
memory/3048-141-0x0000000000000000-mapping.dmp

Download
memory/3240-132-0x0000000000000000-mapping.dmp

Download
memory/4492-139-0x0000000000000000-mapping.dmp

Download
memory/5052-138-0x0000000000000000-mapping.dmp

Download